Stayin’ alive: How global stolen data markets thrive on Telegram

Published: USENIX Security Symposium, 2026

Authors: Tina Marjanov, Taro Tsuchiya, Konstantinos Ioannidis, Jack Hughes, Nicolas Christin, Alice Hutchings

Abstract: Stolen data act as a catalyst for many cybercriminal activities, such as spam campaigns, spear phishing, and identity theft. Studying online communities that serve stolen data helps combat those criminal activities. While anonymous marketplaces and forums have traditionally been the primary venue for stolen data, the chat-based messaging application Telegram has emerged as a popular alternative. Given Telegram's increased accessibility to the general public, it remains unclear how stolen data communities adapt their operations to this platform, circumvent moderation efforts, and create resilient communities. In this work, we characterize: i) where stolen data communities appear within Telegram's ecosystem, ii) what types of stolen data they offer, iii) where they operate from, and iv) how they evade detection. This paper offers four main contributions. First, we provide one of the largest longitudinal datasets of Telegram stolen data channels. Over one year, we manually curate 1,521 channels and collect 14 million messages and 3.6 million shared files. We show that the stolen data communities are largely disjoint from other communities on Telegram. Second, we categorize the types of stolen data with the aim of understanding the potential cybercrime they enable. Third, while existing literature focuses on English-speaking communities, we find that many channels operate in non-English languages and source stolen data from non-English markets. Fourth, those communities deploy various techniques to evade regulation. Notably, gateway channels that provide links to other stolen data channels play a crucial role in increasing longevity and growth rate. We conclude by providing implications not only for academic researchers but also for Telegram and law enforcement agencies across different jurisdictions seeking to monitor and moderate those activities.

Presented at: 35^th USENIX Security Symposium (Baltimore, 2026)